In my environment, the Heavy Forwarder acts as a syslog server gathering logs from sources, and I have configured rsyslog to write to a particular location through the rule shared below.
# Template: one file per originating host and day under /opt/splunk/syslog/dsm/
$template dsm,"/opt/splunk/syslog/dsm/%fromhost%/%$YEAR%-%$MONTH%-%$DAY%.log"
# Ruleset for the DSM listener
$RuleSet {rule_name}
# Write every facility/severity to the dsm template (async write, "-" prefix)
*.* -?dsm
# Discard the message afterwards so it is not processed by other rules
& ~
# Bind the UDP input to this ruleset and start listening
$InputUDPServerBindRuleset {rule_name}
$UDPServerRun {udp_port}
This basically listens on the udp_port that has been configured on the DSM and stores the logs. Later, these logs are forwarded from the HF to the indexers so that the data gets indexed. I have also configured the inputs file.
[monitor:///opt/splunk/syslog/dsm/.../*.log]
sourcetype = deepsecurity
index = dsm
host_segment = 4
disabled = false
I tried to search using sourcetype=deepsecurity-antimalware in the UI but got no results.
Is there anything I need to configure on the App, just like the inputs file, or do I need to create a regex to assign the sourcetype?
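Added example, not from the post or from Splunk: a small Python check of two parts of the configuration above, the monitor path wildcard and the host_segment value, run against a constructed file path of the shape the rsyslog template produces. The wildcard translation ('...' spans directories, '*' stays within one) is my assumption about Splunk's monitor semantics.

```python
import re

# Monitor stanza path from the post; the rsyslog template writes files as
# /opt/splunk/syslog/dsm/<fromhost>/<YYYY-MM-DD>.log
MONITOR_PATH = "/opt/splunk/syslog/dsm/.../*.log"


def monitor_to_regex(monitor_path: str) -> re.Pattern:
    """Translate a [monitor://] path into a regex.

    Assumed semantics: '...' matches any characters including '/',
    '*' matches any characters except '/'.
    """
    out = []
    i = 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            out.append(".*")
            i += 3
        elif monitor_path[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(monitor_path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def host_from_segment(path: str, host_segment: int) -> str:
    """Segment Splunk would take as host for host_segment=N.

    Segments are counted from 1, starting after the leading '/'.
    """
    segments = path.strip("/").split("/")
    if not 1 <= host_segment <= len(segments):
        raise ValueError(f"host_segment {host_segment} out of range for {path}")
    return segments[host_segment - 1]


def find_host_segment(path: str, expected_host: str) -> int:
    """The host_segment value that would extract expected_host from path."""
    return path.strip("/").split("/").index(expected_host) + 1


if __name__ == "__main__":
    # Constructed sample path: fromhost = 10.1.2.3 (hypothetical DSM address)
    sample = "/opt/splunk/syslog/dsm/10.1.2.3/2024-05-01.log"
    print(bool(monitor_to_regex(MONITOR_PATH).match(sample)))  # True
    print(host_from_segment(sample, 4))        # dsm
    print(find_host_segment(sample, "10.1.2.3"))  # 5
```

With this template the originating host is the fifth path segment (/opt/splunk/syslog/dsm/<fromhost>/...), so host_segment = 4 sets host to "dsm" for every event; a search such as sourcetype=deepsecurity host=<dsm_ip> would then also return nothing.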